LDP Security Mechanisms
To secure LDP packets, MPLS provides three security mechanisms: Message Digest Algorithm 5 (MD5) authentication, Keychain authentication, and the Generalized TTL Security Mechanism (GTSM).
Keychain authentication is more secure than MD5 authentication, and only one of these two mechanisms can be used for a given LDP peer. GTSM protects a device against attacks that use invalid LDP packets and can be combined with either MD5 authentication or Keychain authentication.
MD5 Authentication
MD5 is a standard digest algorithm defined in an RFC. A typical application of MD5 is calculating a message digest to prevent message spoofing. The MD5 digest is a fixed-length value produced by an irreversible transformation of the input string; if the message is modified in transit, a different digest results. After the message arrives, the receiver determines whether the packet has been modified by comparing the received digest with the digest it calculates locally.
Because MD5 produces a unique digest for a given piece of data, LDP MD5 authentication can detect LDP packets that have been modified. This check is stricter than the ordinary TCP checksum. The MD5 authentication process is as follows:
Before an LDP session message is sent over the TCP connection, the sender adds a digest to the TCP header. The digest is calculated with the MD5 algorithm over the TCP header, the LDP message, and the configured password.
On receiving the TCP packet, the receiver extracts the TCP header, the digest, and the LDP session message, then uses MD5 to calculate a digest over the received TCP header, the LDP session message, and the locally stored password. The receiver compares the calculated digest with the received one to determine whether the packet has been modified.
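The two steps above, as an added example that is not part of the original page or any vendor implementation: a simplified model in which the sender attaches an MD5 digest computed over a constructed TCP header, a constructed LDP KeepAlive PDU and the typed password, and the receiver recomputes it. The 8-byte header and the PDU layout are constructed for the example; a real implementation signs the full TCP segment (pseudo-header, header with zero checksum, payload) rather than this reduced tuple.

```python
import hashlib
import hmac
import struct

# Constructed example: a simplified model of LDP MD5 authentication.
# The "TCP header" is a constructed 8-byte tuple so the example runs
# offline without a network stack.

def tcp_header(src_port: int, dst_port: int, seq: int) -> bytes:
    """Constructed minimal TCP header: source port, destination port, sequence number."""
    return struct.pack("!HHI", src_port, dst_port, seq)

def ldp_keepalive_pdu(lsr_id: int, message_id: int) -> bytes:
    """Constructed LDP PDU carrying one KeepAlive message (type 0x0201)."""
    message = struct.pack("!HHI", 0x0201, 4, message_id)
    # PDU length counts everything after the length field:
    # LSR ID (4 bytes) + label space (2 bytes) + the message itself.
    return struct.pack("!HHIH", 1, 4 + 2 + len(message), lsr_id, 0) + message

def ldp_md5_digest(header: bytes, ldp_message: bytes, password: str) -> bytes:
    """Digest over TCP header + LDP message + password.

    The password is hashed as the string the operator typed; the encrypted
    form a device stores in its configuration file never enters the hash."""
    h = hashlib.md5()
    h.update(header)
    h.update(ldp_message)
    h.update(password.encode())
    return h.digest()

def build_segment(header: bytes, ldp_message: bytes, password: str) -> tuple:
    """Sender side: attach the digest to the outgoing segment."""
    return header, ldp_message, ldp_md5_digest(header, ldp_message, password)

def accept_segment(segment: tuple, local_password: str) -> bool:
    """Receiver side: recompute the digest and compare it with the received one."""
    header, ldp_message, received_digest = segment
    expected = ldp_md5_digest(header, ldp_message, local_password)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(expected, received_digest)

def tamper(segment: tuple) -> tuple:
    """Simulate in-transit modification: flip one bit of the message ID, keep the digest."""
    header, ldp_message, digest = segment
    modified = ldp_message[:-1] + bytes([ldp_message[-1] ^ 0x01])
    return header, modified, digest

if __name__ == "__main__":
    hdr = tcp_header(646, 51000, 1)           # 646 is the LDP TCP port
    pdu = ldp_keepalive_pdu(0x0A000001, 7)    # constructed LSR ID 10.0.0.1
    seg = build_segment(hdr, pdu, "ldp-secret")
    print("genuine accepted:", accept_segment(seg, "ldp-secret"))
    print("tampered accepted:", accept_segment(tamper(seg), "ldp-secret"))
    print("wrong password accepted:", accept_segment(seg, "other"))
```

The modified packet and the packet checked against a different password both fail, which is the behaviour the text describes; note that the digest is only as secret as the password, so the check detects modification but does not hide the LDP message itself.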
A password can be configured in either cipher text or simple text. A simple-text password is stored directly in the configuration file, whereas a cipher-text password is stored in the configuration file after being encrypted with a vendor-specific algorithm. In both cases, the digest is calculated from the character string the user entered, not from the stored form; that is, the cipher-text form of the password never participates in the MD5 calculation. Because devices from different vendors use proprietary password encryption algorithms, calculating the digest this way masks the differences between the encryption algorithms used on different devices.
Keychain Authentication
Compared with MD5 authentication, Keychain authentication is an enhanced mechanism that likewise calculates a message digest for each LDP message to prevent the message from being modified.
In Keychain authentication, a group of passwords is defined to form a keychain. Each password is associated with an algorithm, such as MD5 or SHA-1, and with a validity period. When sending or receiving a packet, the system selects a currently valid password according to the configuration. Within that validity period, the system uses the algorithm associated with the password to protect an outgoing packet before sending it, or to check an incoming packet before accepting it. When the current password expires, the system automatically switches to the next password, which limits how long any single password is exposed.
The password, the algorithm, and the validity period that together form a Keychain configuration node are configured with separate commands. A Keychain configuration node requires at least one password together with its algorithm.
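The key selection and rollover described above, as an added example that is not part of the original page or any vendor's implementation. It assumes a constructed keychain of two keys with integer-second validity windows, assumes the key ID travels with the packet so the receiver can find the matching key, and models the per-key digest as an HMAC (the page only says a digest is calculated with the key's algorithm; HMAC is this example's choice).

```python
import hmac
from dataclasses import dataclass

# Constructed keychain. Time is modelled as integer seconds from an arbitrary
# epoch; a real device uses wall-clock send/accept windows.
@dataclass(frozen=True)
class KeychainKey:
    key_id: int
    algorithm: str        # hashlib name: "md5" or "sha1", as named in the text
    secret: bytes
    valid_from: int       # inclusive
    valid_to: int         # exclusive

KEYCHAIN = [
    KeychainKey(1, "md5",  b"first-password",  0,    3600),
    KeychainKey(2, "sha1", b"second-password", 3600, 7200),
]

def active_key(keychain, now: int) -> KeychainKey:
    """Sender side: select the key whose validity period covers 'now'."""
    for key in keychain:
        if key.valid_from <= now < key.valid_to:
            return key
    raise LookupError(f"no valid key at t={now}")

def digest_for(key: KeychainKey, message: bytes) -> bytes:
    """Digest with the algorithm tied to this key (HMAC is an assumption of this example)."""
    return hmac.new(key.secret, message, key.algorithm).digest()

def protect(keychain, message: bytes, now: int) -> tuple:
    """Sender: pick the active key and attach (key_id, digest) to the message."""
    key = active_key(keychain, now)
    return key.key_id, digest_for(key, message)

def accept(keychain, message: bytes, key_id: int, digest: bytes, now: int) -> bool:
    """Receiver: look up the key by ID, require it to be valid now, recompute and compare."""
    for key in keychain:
        if key.key_id == key_id and key.valid_from <= now < key.valid_to:
            return hmac.compare_digest(digest_for(key, message), digest)
    return False   # unknown key, or a key outside its validity period

if __name__ == "__main__":
    msg = b"constructed LDP KeepAlive"
    kid, mac = protect(KEYCHAIN, msg, now=100)        # key 1 (MD5) is active
    print(kid, accept(KEYCHAIN, msg, kid, mac, now=200))
    kid2, mac2 = protect(KEYCHAIN, msg, now=4000)     # rolled over to key 2 (SHA-1)
    print(kid2, accept(KEYCHAIN, msg, kid2, mac2, now=4100))
    print(accept(KEYCHAIN, msg, kid, mac, now=4100))  # key 1 has expired: rejected
```

The receiver checks validity at its own receive time, so a digest made with an expired key is rejected even though the key is still present in the chain; in practice the send and accept windows are usually configured to overlap slightly so clock skew between peers does not cause a session flap at rollover.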
LDP GTSM
GTSM protects services by checking whether the TTL value in the IP header falls within a pre-defined range. GTSM relies on the following prerequisites:
The TTL of normal packets between routers is determined.
It is difficult to change the TTL value.
LDP GTSM refers to GTSM implementation over LDP.
To protect the device against attacks, GTSM verifies the TTL of each packet. LDP GTSM applies to LDP packets exchanged between neighboring or adjacent devices (a fixed number of hops apart). A TTL range is preset on each device for packets from its peers. With GTSM enabled, if the TTL of an LDP packet received by an LDP-enabled device is outside that range, the packet is considered invalid and is discarded, which protects the upper-layer protocols.
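The TTL check described above, as an added example that is not part of the original page or any vendor's implementation. It assumes the sender sets the IP TTL to 255, that each forwarding router decrements it by one, and a receiver-side parameter named valid_ttl_hops (an assumed name) giving how many hops away a legitimate peer may be; the packet list is constructed.

```python
# Constructed model of LDP GTSM: accept an LDP packet only if its TTL is
# still inside the range preset for the peer, i.e. it cannot have crossed
# more routers than a legitimate peer would.

MAX_TTL = 255

def ttl_on_arrival(initial_ttl: int, forwarding_routers: int) -> int:
    """TTL seen by the receiver after the packet crossed the given number of routers."""
    return max(initial_ttl - forwarding_routers, 0)

def gtsm_accept(received_ttl: int, valid_ttl_hops: int) -> bool:
    """Accept only if the TTL lies in [MAX_TTL - valid_ttl_hops + 1, MAX_TTL]."""
    lower = MAX_TTL - valid_ttl_hops + 1
    return lower <= received_ttl <= MAX_TTL

def filter_ldp_packets(packets, valid_ttl_hops: int):
    """Split constructed packets into (accepted, discarded) lists of (source, ttl)."""
    accepted, discarded = [], []
    for pkt in packets:
        ttl = ttl_on_arrival(pkt["initial_ttl"], pkt["forwarding_routers"])
        target = accepted if gtsm_accept(ttl, valid_ttl_hops) else discarded
        target.append((pkt["src"], ttl))
    return accepted, discarded

# Constructed packets: a directly connected peer, a peer two hops away, and
# two packets from a remote host that claims the peer's address. Intermediate
# routers decrement the TTL regardless of what the remote host set.
PACKETS = [
    {"src": "10.0.0.1 (adjacent peer)",     "initial_ttl": 255, "forwarding_routers": 0},
    {"src": "10.0.1.1 (two hops away)",     "initial_ttl": 255, "forwarding_routers": 1},
    {"src": "10.0.0.1 (remote, TTL 255)",   "initial_ttl": 255, "forwarding_routers": 4},
    {"src": "10.0.0.1 (remote, TTL 64)",    "initial_ttl": 64,  "forwarding_routers": 0},
]

if __name__ == "__main__":
    for hops in (1, 2):
        accepted, discarded = filter_ldp_packets(PACKETS, hops)
        print(f"valid_ttl_hops={hops}: accepted={accepted} discarded={discarded}")
```

With valid_ttl_hops set to 1 only the directly connected peer passes; raising it to 2 also admits the peer one router away, while the two remote packets are discarded in both cases because no router along the path can restore the decremented TTL. This is why GTSM works without any shared secret, and also why it complements rather than replaces MD5 or Keychain authentication, which protect the packet contents.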